29. Container Virtualization Flashcards

1
Q

How did we create a virtual machine?

A

Start with a physical machine.

Create software (hypervisor) responsible for isolating the guest OS inside the VM

VM resources (memory, disk, networking, etc) are provided by the physical machine but visibility outside of the VM is limited

2
Q

What are the three implications of creating a virtual machine?

A
  1. VM and physical machine share the same instruction set, so the host and guest must as well
  2. Guest OS can provide a different application binary interface (ABI) inside the VM
  3. Lots of challenges in getting this to work because the guest OS expects to have privileged hardware access
3
Q

How do we create a virtual operating system (container)?

A
  1. Start with a real operating system.
  2. Create software responsible for isolating guest software inside the container.
  3. Container resources (processes, files, network sockets, etc) are provided by the real operating system but visibility outside the container is limited
4
Q

What are the 3 implications of creating a virtual operating system (container)?

A
  1. Container and real OS share the same kernel
  2. So applications inside and outside the kernel must share the same ABI
  3. Challenges in getting this to work are due to shared OS namespace
5
Q

True or False: You can run Windows inside a container provided by Linux.

A

FALSE. The container shares the kernel with the host.

6
Q

True or False: You can run SUSE Linux inside an Ubuntu container.

A

TRUE. As long as both distributions use the same kernel, the differences are confined to different binary tools and file locations.

7
Q

True or False: Running ps inside the container will show all processes.

A

FALSE. The container's process namespace is isolated from the host.

8
Q

What is the difference between hypervisor and container virtualization?

A

The hypervisor exists above the Host OS and on top of that hypervisor are a number of Guest OSs. Above each Guest OS is a copy of the binaries/libraries and then the apps.

In container virtualization, multiple copies of the binaries/libraries and apps sit on top of the Host OS.

9
Q

Why virtualize an operating system?

A

Shares many (but not all) of the benefits of hardware virtualization with much lower overhead

10
Q

Describe the three properties of Decoupling in container virtualization

A
  1. Cannot run multiple operating systems on the same machine
  2. Can transfer software setups to another machine as long as it has an identical or nearly identical hardware kernel
  3. Can adjust hardware container resources to system needs
11
Q

Describe the two properties of Isolation in container virtualization

A
  1. Information should not leak between the inside and the outside of the container
  2. Can isolate all of the configuration and software packages a particular application needs to run
12
Q

What is the hardware virtualization system call path?

A

Application inside the VM makes a system call.

Trap to the host OS (or hypervisor)

Hand trap back to the guest OS

13
Q

What is the OS virtualization system call path?

A

Application inside the container makes a system call.

Trap to the OS.

Remember all of the work we had to do to deprivilege the guest OS and deal with uncooperative machine architectures like x86? OS virtualization does not require any of this: there is only one OS!

14
Q

What kind of names must the container virtualize?

A

Process IDs:

  • top inside container shows only processes running inside container
  • top outside container may show processes inside the container, but with different PIDs

File names:

  • processes inside the container may have a limited or different view of the mounted file system
  • file names may resolve to different names - and some file names outside the container may be removed

User names:

  • containers may have different users with different roles
  • root inside the container should not be root outside the container

Host name and IP address:
  • processes inside the container may use a different host name and IP address when performing network operations

15
Q

What resources does OS virtualization concern itself with?

IOW: The OS may want to ensure that the entire container - or everything that runs inside it - cannot consume more than a certain amount of:

A

CPU time

Memory

Disk or network bandwidth

16
Q

What resources does Linux provide namespace separation for?

A

Mount points, process IDs, network, and devices.

17
Q

Describe how Linux handles namespace separation for mounting points.

A

Allows different namespaces to see different views of the file system

18
Q

Describe how Linux handles namespace separation for process IDs.

A

New processes are allocated IDs in their current namespace and all parent namespaces

19
Q

Describe how Linux handles namespace separation for networks.

A

Namespaces can have private IP addresses and their own routing tables, and can communicate with other namespaces through virtual interfaces

20
Q

Describe how Linux handles namespace separation for devices.

A

Devices can be present or hidden in different namespaces

21
Q

What do cgroups do?

A

cgroups make it possible to control the resources (CPU time, memory, disk or network bandwidth) allocated to a set of processes

22
Q

How does path name resolution work in UnionFS?

A

UnionFS is a stackable unification file system

First: Does foo/bar exist in the top layer? If yes, return its contents

Else: Does foo/bar exist in the next layer? If yes, return its contents.

Etc…

Note: Can also stop at a certain point if access is only permitted to a certain level

23
Q

What is the principle underlying copy-on-write file systems?

A

Only make modifications to the underlying file system when the container modifies files

This speeds start up and reduces storage usage (the container mainly needs read-only access to host files)

24
Q

What is Docker?

A

Docker builds on previous technologies:

  • Provides a unified set of tools for container management on a variety of systems
  • Layered file system images for easy updates
  • Now involved in development of containerization libraries on Linux